What are some good web-based website security scanning solutions? I'm not too concerned if they are web-based solutions, or software that can be run locally.

Generally, I'm looking for something we can run to provide to clients some sort of certification that their sites are secure. A plus of some of the web-based solutions would be that they can automate it and provide a 'seal' proving the security check is up to date. An example of one I have seen is the GoDaddy Website Protection Site Scanner.

That GoDaddy service sounds quite dodgy - similar to McAfee's notorious HackerSafe. More like "HackerTarget"... note I am NOT recommending that one.
– AviD♦ Nov 12 '10 at 1:17

Interesting question. I simply wanted to say that usually companies certify their partner products based on code scanning with scanners like Fortify, Veracode and others.
– Phoenician-Eagle Nov 12 '10 at 1:32

Good point. Would it make sense to expand the question to also ask if a service like this is good/bad to publicize?
– Doozer Blake Nov 12 '10 at 1:38

Say your customer has a brick and mortar store. How do you verify it is secure?

First you must understand the threat model. Is it a lemonade stand, a convenience store, or a jewelry store? They all require very different levels of security.

Then you must implement the controls required for that type of property. For a lemonade stand, a simple latching fishing box cash register is probably sufficient.

Finally, you must periodically monitor that the controls are working. Bank safes are rated in expected time to crack. There is no perfect security, and some sort of monitoring is almost always part of physical security. In low security environments this usually just happens by the staff being present at least periodically.

Likewise, there is no one-size-fits-all answer in application security, no matter what vendor or consultant tells you otherwise. Perhaps ask a more specific question, including details like: Are these sites handling payments? Are there regulatory requirements? If you're handling credit card data, the answer is probably yes. Are there logins? What personally identifiable data is being protected? etc.

Check out the Web Application Security Scanner List from The Web Application Security Consortium (WASC). Note, I'm one of the authors of Watcher which is a free and open source passive vulnerability scanner on this list. This list also includes the Software as a Service scanning solutions.

Going a bit off-topic from IT Security... a 'certification' is a very dangerous thing from a liability perspective. I would advise a good read of the small print on any 'certification' service - if they are offering something which will stand up when needed (i.e. if the website gets hacked you can claim or pass the blame) I would be very astonished.

What is much easier for a vendor to offer is a declaration of how appropriate the security is at a point in time, so that is what usually happens.

In a previous organisation, I would expect to charge 5-10 times as much if I were to give anything like a certification, as my risk and liability issues were significant.

How valuable is certification to you and your clients? Could you/they accept a report which advises on the website's security as compared with peers?

There are two types of web-based, website security scanners that I am currently aware of:

Ones that look for website and web application security defects

Ones that look for malware hosted on your website

Qualys provides services for both that are fairly standardized, cheap (for what you get), and run-of-the-mill. None of their scanning is very advanced, and it will not target your website or web application the way a real hacker would. No scanner is capable of simulating a real hacker. There are a few bots such as Asprox that simulate an automated SQL injection attack, but this is only one tool in the toolchain of a modern adversary.

If the web application you are trying to test, assess, or audit for web application vulnerabilities has a real-world risk classification (i.e. it is under attack, or has been under attack in the past, or there is reason to believe that it will be attacked in the future) or data classification (i.e. it services data, or processes/stores/transmits data that is sensitive in nature) then it is in your best interest to contact an Application Security Consulting company. You should prefer working with partners that you have a good referral for and that you have had success with working in the past. It is also good to establish business partners that cater to your specific industry vertical or situation. Most of the good ones are small, security boutiques with 5-15 employees/contractors, but if your company is large enough, you might want to choose a larger firm to co-ordinate the work with the smaller firms.

If you are under attack and require help with your incident management, I suggest similar boutiques that specialize in incident response and malware research. You can find more information about what is offered from industry analysts such as Gartner, Forrester Research, etc -- but there are also smaller security boutiques that specialize in industry analysis that are certainly worth checking out.
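As an added illustration of what the first category of scanner (one that looks for website defects) and the passive scanner mentioned in an earlier answer actually do, here is a small passive check written for this page. It is not code from the question, from any answer, or from the Watcher project or Qualys. It reads a single HTTP response that the site already sent and flags missing hardening headers, cookies without Secure/HttpOnly, a script include from another host, and an obfuscated inline script (a common indicator in the second category, malware hosted on the site); it never sends attack traffic. The sample response and the hostnames www.example.com and cdn.example-partner.net are constructed placeholders.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    severity: str   # "medium", "low" or "info"
    title: str
    detail: str


# Headers whose absence a passive scanner typically reports (assumed severities).
EXPECTED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
    "x-frame-options": "low",
}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_headers(headers):
    """Missing hardening headers and a version number leaked in Server."""
    present = {name for name, _ in headers}
    findings = [Finding(sev, f"missing {name}", "header not set on response")
                for name, sev in EXPECTED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name == "server" and re.search(r"\d", value):
            findings.append(Finding("info", "server version disclosed", value))
    return findings


def check_cookies(headers, over_https=True):
    """Set-Cookie values that lack the Secure / HttpOnly attributes."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if over_https and "secure" not in attrs:
            findings.append(Finding("medium", "cookie without Secure", cookie))
        if "httponly" not in attrs:
            findings.append(Finding("low", "cookie without HttpOnly", cookie))
    return findings


def check_scripts(body, site_host):
    """Script includes served from other hosts and obfuscated inline script."""
    findings = []
    for m in re.finditer(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', body, re.I):
        host = urlparse(m.group(1)).hostname
        if host and host.lower() != site_host.lower():
            findings.append(Finding("info", "third-party script include", m.group(1)))
    # eval(unescape(...)) in page content is a classic sign of injected script.
    if re.search(r"eval\s*\(\s*unescape\s*\(", body, re.I):
        findings.append(Finding("medium", "obfuscated inline script",
                                "eval(unescape(...)) found in body"))
    return findings


def scan(raw_response, site_host, over_https=True):
    """Run every passive check over one captured response; returns a list of Finding."""
    _, headers, body = parse_response(raw_response)
    return (check_headers(headers)
            + check_cookies(headers, over_https)
            + check_scripts(body, site_host))


# Constructed sample response for this example; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>\n"
    '<script src="https://cdn.example-partner.net/widget.js"></script>\n'
    "<script>eval(unescape('%64%6f%63'))</script>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSE, "www.example.com"):
        print(f"[{f.severity:6}] {f.title}: {f.detail}")
```

Run against the sample it reports eight findings. The point of the exercise is what it does not find: nothing here exercises the application's logic, so a clean report from a passive check (or from a run-of-the-mill scanner) says only that the obvious hardening is present, which is the gap between "scanned" and "secure" that the answers above describe.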